Gitlab Bot
Monitor, alert, and discover sensitive data in your code for each merge request. Get instant feedback on any change you make in a merge request. Spectral Bot can be installed directly on organizations, user accounts and groups, and granted access to specific projects.
Integration Environment Variables
Name | Required | Description |
---|---|---|
SELF_HOSTED_GITLAB_DOMAIN | No | If you're running a self-hosted Gitlab, provide the domain here, e.g. https://my-gitlab-domain.com |
STRICT_MODE | No | If set to true, check status is based on all issues found in the modified files (even if the issues are old) |
SPECTRAL_TAGS | No | Tags list to run Spectral with, separated by commas (eg base,iac,audit). |
SPECTRAL_ENGINES | No | Engines list to run Spectral with, separated by commas (eg secrets,iac,oss). Default is 'secrets' |
SPECTRAL_DSN | No | Your Spectral DSN retrieved from SpectralOps (leave blank if you are using vault) |
GITLAB_WEBHOOK_SECRET | No | Any strong secret would be fine (leave blank if you are using vault) |
GITLAB_TOKEN | No | Generate it in your Gitlab profile -> Access Tokens, check the "api" scope (leave blank if you are using vault) |
SECRETS_VAULT | No | The vault you're storing your secrets in. Currently only supports aws_secrets_manager |
Using vault
Instead of storing your secrets directly in your Lambda configuration, it is recommended to use a vault.
To use a vault, set another environment variable, SECRETS_VAULT, to the type of vault you are using.
Available values:
- aws_secrets_manager (AWS Secrets Manager)
Currently only AWS Secrets Manager is supported; support for more vaults is planned.
In your vault, make sure you set the following 3 secrets:
- Spectral_GitlabBot_GitlabToken (for GITLAB_TOKEN)
- Spectral_GitlabBot_WebhookSecret (for GITLAB_WEBHOOK_SECRET)
- Spectral_Dsn (for SPECTRAL_DSN)
AWS Secrets Manager
If you are deploying using CloudFormation or Terraform, note that the role created for the lambdas grants permission to perform the secretsmanager:GetSecretValue action only for those 3 secrets.
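The least-privilege scoping described above, written out as an added Terraform example (this is not Spectral's own Terraform module). It assumes the three secrets live in the same account and region as the Lambda, and that a role named aws_iam_role.spectral_gitlab_bot is defined elsewhere in your configuration:

```hcl
# Added example, not part of the Spectral Terraform module.
# Assumes: secrets are in the current account/region, and the Lambda's
# execution role is declared elsewhere as aws_iam_role.spectral_gitlab_bot.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  # Secrets Manager appends a random suffix to every secret ARN,
  # so each name is followed by "-*" to match only that secret.
  spectral_secret_arns = [
    for name in [
      "Spectral_GitlabBot_GitlabToken",   # GITLAB_TOKEN
      "Spectral_GitlabBot_WebhookSecret", # GITLAB_WEBHOOK_SECRET
      "Spectral_Dsn",                     # SPECTRAL_DSN
    ] :
    "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:${name}-*"
  ]
}

data "aws_iam_policy_document" "spectral_bot_secrets" {
  statement {
    sid     = "ReadOnlyTheThreeBotSecrets"
    effect  = "Allow"
    actions = ["secretsmanager:GetSecretValue"]
    # Scoped to the three named secrets; a "*" resource here would let the
    # bot read every secret in the account.
    resources = local.spectral_secret_arns
  }
}

resource "aws_iam_role_policy" "spectral_bot_secrets" {
  name   = "spectral-gitlab-bot-secrets"
  role   = aws_iam_role.spectral_gitlab_bot.id
  policy = data.aws_iam_policy_document.spectral_bot_secrets.json
}
```

A quick check after `terraform apply`: the role should be able to call GetSecretValue on these three names and get AccessDenied on any other secret in the account.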
Deploy the Bot
Deploy using one of the following methods:
- Cloud Formation
- Terraform: deploy AWS resources using our Terraform module (set the integration_type param value to gitlab).
- Docker: go to our DockerHub repo for the Gitlab scanner and follow the instructions.
Setup Gitlab Project Webhooks
Set up Gitlab webhooks by running the create_webhooks executable. Download it for Mac (digest), Linux (digest) or Windows (digest) and use it:
./create_webhooks -t GITLAB_TOKEN -u LAMBDA_FULL_URL -s WEBHOOK_SECRET -g GROUP_ID
This will set up webhooks for the projects under the group GROUP_ID (recursively). Look at ./create_webhooks -h for usage.
Monitoring
It is highly recommended to monitor the bot's errors. If the bot is hosted on AWS Lambda, this is easy to do with CloudWatch alarms.
To create an alarm, do the following:
- In CloudWatch, click on Create Alarm, and then Select Metric.
- Select the Errors metric for the lambda and click on Select Metric.
- Set the statistic to Sum and select the required period for the threshold measurement.
- Under Conditions, choose Static threshold, choose Greater, and set the threshold value to at least 1. Click Next.
- Enter the email addresses to be alerted. Click Next, name the alarm and click Next again.
- Go over the summary, and if everything makes sense to you, click OK.
That's it 💪
Now merge requests for all the projects you selected are protected by Spectral. Any issues found will be written as a note on the MR.